How To Get Rid of trick.trainresistor.cc Malware

By Adrian StoianGuides

More than 431 sites are affected by trick.trainresistor.cc malware, directing users to various ad networks.
This contamination affects PHP files, JS files, wp_posts tables, and site URLs ( wp_options ).

Need help? Let us clean your site.

New guide: https://guides.magefix.com/2022/02/ads-specialadves-com/

trainresistor.cc contamination affects both database and web files, so I would recommend to:
a) Check other sites that share the same hosting account.
If malware infection is widespread, each site should be isolated, to prevent cross-site contamination.
b) Perform a site rebuild for each WordPress instance, manually adding plugins, theme and core files from official sources.

To fix a hacked website, follow these steps:

Step 1
Backup
1. Backup database and web files using a file manager tool, FTP client or ask your web host.
2. Disable MySQL remote access.

Step 2
Reset site URL
Restore site URL: https://wordpress.org/support/article/changing-the-site-url/.
To restore site URLs, edit the wp-config.php file and add the following lines:

define( 'WP_HOME', 'https://example.com' );
define( 'WP_SITEURL', 'https://example.com' );
Step 3
Clean local files
If site rebuild still contains plugins or themes from a previous backup, all index.php and JS files may be corrupted as well.
Look for “$a=chr(“, “chr(104)”, “String.fromCharCode”, “trainresistor”, and “trick.trainresistor.cc”.

Insert the following script inside the pack.php file and place it inside your root folder. This way you can pack all PHP and JS files and scan them locally.

Search and replace tools for malicious strings inside multiple files: dnGrep, grepWin, VisualGrep, PowerGREP.

Step 4
Database check
  • As a precaution measure, look for “trainresistor”, “String.fromCharCode”. This way you will know if other tables are infected as well.
    Injections usually target wp_posts and wp_options tables.
    The following SQL commands may be used to clear any malicious JS:

    • Search and replace database tool for malicious strings: Better Search Replace, Search Replace DB ver. 4.

  • Check users with administrator privileges.
Step 5
Major update
Perform a major update, making sure core files, theme, and plugins are up to date.
Disable and remove any abandoned or suspicious plugins.

Step 6
Blacklist status & Google cache
Site should be verified with Google search console. To refresh indexed pages, ask for a re-index.
This way, any infected cached pages listed on Google will be updated.

Step 7
Cross-site contamination
If you’re using a single shared hosting account for multiple websites, all index.php and JS files may be infected.
So make sure other sites hosted on the server are secured and isolated.

Try our Free site check.

If your Google Ads are suspended, we recommend our Platinum plan – service will include cleanup and Ads support:
https://www.magefix.com/platinum/

Malicious URLs:
hxxps://right.trainresistor[.]cc/follow/?id=457457&
hxxps://ch.trainresistor[.]cc/?v=47&id=547
hxxps://trick.trainresistor[.]cc/a.php?sid=111111&utm_source=754845
hxxps://trick.trainresistor[.]cc/b.php?id=4585693-458-435-2342378
hxxps://trick.trainresistor[.]cc/come.php?id=76967-55-43567896-4
hxxps://blockleftheaders[.]best/go/mzrtgzjzgy5dmojrg4?subid3=biggest&=8&subid4=torry
https://letmeok.com/sw/worker.js
https://blockleftheaders.best/worker1.js
chess.storerightdesicion.com/c.php
line.storerightdesicion.com/ping/?track.js

12/20/2021 update:
https://line.storerightdesicion.com/ping/?track.js
https://chess.storerightdesicion.com/s.php?pid=584-348576743-22
https://chess.storerightdesicion.com/c.php?id=226-658347-44-223895
https://chess.storerightdesicion.com/go.php?id=79699-347-3485623-44
https://greenphorward.best/?p=hbrdiojrmy5gi3bpgy3teoa&sub2=trickseestan&sub1=pelaain

12/21/2021 update:
https://get.belonnanotservice.ga/away?n1=t&/pie-register-login/

Malicious IPs: 45.9.150.78, 45.9.150.64, 80.78.24.100, 167.71.64.21.
Malicious domains: clarktonigh.best, yellowline.best, useclarktonigh.best, tricksterfarm.best, getclarktonigh.best, fingerprintopuch.best, johncarlsberg.best, tryclarktonigh.best, ellowline.best, belonnanotservice.ga, storerightdesicion.com, to8s.biz, greenphorward.best, blockleftheaders.best, simpleworker.biz, appledonttouch.best, fingerprintopuch.top, fingerprintopuch.best, letmeok.com, trainresistor.cc.
Nameservers: ns1.vdsina.ru, ns2.vdsina.ru.

Sample:
String.fromCharCode(104,116,116,112,115,58,47,47,116,114,105,99,107,46,116,114,97,105,110,114,101,115,105,115,116,111,114,46,99,99,47,97,46,112,104,112,63,115,105,100,61,49,49,49,49,49,49,38,117,116,109,95,115,111,117,114,99,101,61,55,53,52,56,52,53)
String.fromCharCode(104,116,116,112,115,58,47,47,99,104,101,115,115,46,115,116,111,114,101,114,105,103,104,116,100,101,115,105,99,105,111,110,46,99,111,109,47,115,46,112,104,112,63,112,105,100,61,53,56,52,45,51,52,56,53,55,54,55,52,51,45,50,50)

Similar hack:
https://guides.magefix.com/2021/09/remove-piterreceiver-ga-malware/